I've attended many Google conference sessions about Android security over the years and, for the most part, they focused on how well Google secures the world's largest operating system. But while execs talked about how Android had a different philosophy than a certain unnamed and more closed mobile OS, they rarely directly addressed the pervasive belief that Apple is better at security.

Google I/O 2018 was different. After the familiar discussions about philosophy and comparing the likelihood of downloading a dangerous Play Store app to being hit by lightning, things got measurable.

"The protective powers of Android is on par with any other platform," declared Dave Kleidermacher, Google's lead for mobile security.

To demonstrate that, he showed how the percentage of dangerous installations from the Play Store went from extremely small to vanishingly tiny over time. Dangerous installations from outside the Play Store have dropped as well.

Kleidermacher attributed this to locking down permissions in the operating system and APIs, as well as investments in malware detection. For years, Google has been able to detect and track potential malware threats even when the user gets their apps from third-party stores. This has been a long-running project for Google, and highlights that nearly all malicious apps come from outside Google Play.

The best way to guard against attacks is to make it expensive. "We work really hard to...make Android more difficult and more expensive to exploit," said Kleidermacher.

To demonstrate, he showed that the payouts for bug bounties and Pwn2Own competitions put a high price on critical Android exploits. Similarly, Google has heard anecdotally that Android exploits for sale on the dark web have greatly increased in price, Kleidermacher said.

"Lots of people want to purchase exploits," he said. "As exploits get more difficult, the law of supply and demand says the price goes up."

Pushing Forward

Building from this, Kleidermacher outlined how Android P will allow the OS to be used for things previously thought too sensitive to trust to any mobile device—let alone an Android-powered one.

"We don't vote for prime minister from our phones," said Kleidermacher. "It's our goal to break through that ceiling."

Key to that is Android Protected Confirmation: confirmation screens handled by a sequestered Trusted Execution Environment (TEE), which can be used to get secure verifications from a user. The TEE runs separately from the operating system, keeping it safe from attack and manipulation. When a user is prompted to confirm an action, a screen appears instructing the user to press the power button to verify that it's indeed what they want. The input, said Kleidermacher, is guarded in the TEE and signed by a cryptographic key that never leaves that secure area.

"Even if you had root level malware, the integrity of this code could not be corrupted," he said.

Protected Confirmation could be used to verify critical requests. On stage, we saw examples from Duo Security and Royal Bank of Canada that used Protected Confirmations to verify logins and person-to-person money transfers.

Most dramatic, however, was an insulin pump from Bigfoot Biomedical. A user can view their current insulin levels in Bigfoot's app, and then select how large an insulin dose they want to receive. A Protected Confirmation screen appears, and if the user agrees by tapping the power button, the pump will administer the insulin. The level of trust required to operate not just a medical device, but one that could actually injure or kill someone, is enormous. And Google seems to think that time has come.

Some Strings Attached

The TEE is critical to making Protected Confirmations work, and that requires specific hardware. "Secure hardware is a huge focus area for us, because it can provide defenses to attacks that software alone cannot handle," explained lead security product manager Xiaowen Xin.

This means some of the new security functions in Android P will require not just a device that runs a particular version of the operating system, but one with specific hardware as well. For example, Kleidermacher told the audience that Google partnered with Qualcomm to ensure that its next-generation chipset will have the Protected Confirmations API built in.

Digital and Physical Privacy

Interest in individual security has been running high in the wake of the Cambridge Analytica scandal, in which the information from millions of Facebook users was hoovered up and perhaps used to target ads during the US election. Android will be addressing privacy in a few ways with Android P.

For one, P introduces Lock Down Mode, whereby your phone will no longer display notifications and not accept any form of biometric login. Only your PIN can reactivate the device. This is to guarantee security in a situation when your device is out of your hands, like at a US border crossing. As we've seen, there's little privacy available in this specific setting and biometrics, while convenient, are easier for law enforcement to compel you to supply.

Xin also explained that apps in the background will no longer be able to access the microphone, camera, or phone sensors. Apps can still get this information, but they have to show a persistent notification so users know exactly what has access to their information and when.

Android P will also include TLS by default, which secures data while in transit. Any Android P device will require TLS regardless of the app transmitting data. That's important, because many Android features don't reach apps that target older versions of the operating system. The TLS requirement is an exception.

Similarly, Xin talked about how Android P will be the first major OS to have DNS over TLS built in. Developed with the Jigsaw team, which created the DIY Outline VPN, this feature makes sure your DNS queries are encrypted on their way to a DNS resolver. A DNS resolver is basically a phone book for the web, which turns human-readable names (the domain part of a URL) into machine-friendly IP addresses. By looking at DNS requests, ISPs and others can track your movements across the web. Not anymore with Android P.

Securing Keys and Biometrics

Google introduced native support for biometric login quite some time ago, but this was limited to just fingerprints. This was fine at the time, but new devices are using more than just fingerprint scanners to identify users, Xin pointed out.

Android P will include a new Biometric Prompt that will identify what biometrics are available on the device, and automatically choose an appropriate option for the user. This new universal prompt would even work with phones that have fingerprint readers embedded under the screen, raising a tantalizing possibility for future Android hardware.

Additionally, the Android version of Chrome will support WebAuthn and FIDO2. The practical upshot, explained Xin, is that users will be able to use their fingerprint to log in to websites through the browser.

Critical to expanding the use cases for phones is creating and securing cryptographic keys in a tamper-proof environment. Xin described the chips in payment cards as the gold standard for verifying in-person transactions. Google hopes to emulate that same assurance with the next version of Android.

"With Android P, we're now exposing APIs so more applications on Android can take advantage of this tamper-proof hardware," Xin said.

That hardware is essential for a new encryption key store called StrongBox. Xin said this will be like a secure element, with its own isolated CPU, RAM, and secure storage. By emulating that gold standard, Xin said, services like Google Transit could allow you to safely and confidently pay for a subway ride using a phone.


StrongBox will also be used for keybound keys, which are used to encrypt data on the device and decrypt it only when the device is unlocked. The life of those keys, said Xin, is tied to the lock screen. So, as always, use your dang lock screen.

Android P will also expand on cryptographic key attestations first introduced in Android Oreo. This allows apps to get critical information about the security of the device, the integrity of its keys, and whether it has been tampered with. For example, you could now get bit-for-bit verification of the OS and ensure that it's a safe version.
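The pieces Kleidermacher and Xin described, Protected Confirmation, StrongBox, keys bound to the lock screen and key attestation, all come together in one Android Keystore flow. The following is an added example, not code from Google or any company named in the article; the class, key alias, callback interface, prompt text and server-supplied challenge are assumed, and the catch block shows the fallback an app needs on hardware that has no StrongBox secure element.

```java
import android.content.Context;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.*;
import java.util.concurrent.Executor;
// Hypothetical helper (not Google's code): StrongBox-backed, unlock-bound key that signs only user-confirmed data.
public final class ProtectedTransfer {
    private static final String ALIAS = "transfer_confirm_key"; // assumed key alias
    public interface Result { void onSigned(byte[] confirmed, byte[] sig); void onFailed(Throwable t); }
    // serverChallenge is assumed to come from the relying party; it is embedded in the
    // attestation chain (KeyStore.getCertificateChain(ALIAS)) that the server later verifies.
    public static KeyPair createKey(byte[] serverChallenge) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true)   // every signature needs a Protected Confirmation
                .setUnlockedDeviceRequired(true)     // "keybound": unusable while the lock screen is up
                .setAttestationChallenge(serverChallenge);
        try {
            kpg.initialize(b.setIsStrongBoxBacked(true).build()); // prefer the StrongBox secure element
            return kpg.generateKeyPair();
        } catch (StrongBoxUnavailableException e) {
            kpg.initialize(b.setIsStrongBoxBacked(false).build()); // fall back to the TEE-backed Keystore
            return kpg.generateKeyPair();
        }
    }
    // The TEE renders the prompt and returns the exact message the user approved (prompt text
    // plus extraData, CBOR-encoded); the Keystore will sign nothing else with this key.
    public static void confirmAndSign(Context ctx, Executor exec, String promptText, byte[] extraData, Result cb) throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) throw new IllegalStateException("no Protected Confirmation");
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        new ConfirmationPrompt.Builder(ctx).setPromptText(promptText).setExtraData(extraData).build()
            .presentPrompt(exec, new ConfirmationCallback() {
                @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                    try {
                        Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(key);
                        s.update(dataThatWasConfirmed);
                        cb.onSigned(dataThatWasConfirmed, s.sign()); // server checks sig and attestation
                    } catch (GeneralSecurityException e) { cb.onFailed(e); }
                }
                @Override public void onDismissed() { cb.onFailed(new SecurityException("user declined")); }
                @Override public void onCanceled() { cb.onFailed(new SecurityException("prompt canceled")); }
                @Override public void onError(Throwable e) { cb.onFailed(e); }
            });
    }
}
```

The relying party should verify both the signature over the confirmed message and the attestation chain (challenge, StrongBox security level, and verified-boot state) before acting on the transfer.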

Looking Forward

Google has spent years making Android more secure, and it seems to be paying off. Not only can Google claim that it is meeting the competition on security, it is boldly proposing uses for phones that were unimaginable before. Whether that comes to pass, and whether Android can really move past a sometimes iffy security reputation, will depend as much on convincing the world to trust it as on providing new technology.

About the Author

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.